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REMARKS 

Claims 72 to 1 16 are now pending. 

Applicants respectfully request reconsideration of the present application in view of 
this response. 

Applicants thank the Examiner for considering the Information Disclosure 
Statements, PTO-1449 forms and related references. 

With respect to paragraph one (1) of the Final Office Action, the objections was not 
ignored in the prior response. It was traversed since it was believed and respectfully 
submitted that the present specification fully complies with Rules 52(a) and 52(b), and it was 
stated that the Application has been reviewed, and it was not understood how the 
specification is not a proper English translation. It was also stated that if the Office insisted 
on a Substitute Specification, it was respectfully requested that the Office specifically identify 
how the present application does not satisfy the statutory and rule requirements, since no 
examples were provided in the Office Action. It was also noted that the assignee of the 
present application has previously submitted many cases that were considered proper. It is 
not understood how the present application does not satisfy any specific statutory or 
regulation requirements, and it is therefore not understood what would be changed. It was 
therefore respectfully requested that the Substitute Specification requirement be withdrawn. 

In view of the current comments, while the objection to the use of the terms "means" 
and "said" in the specification may not be agreed with, a Substitute Specification 
accompanies this response, in which "said" has been changed to "the", and in which "means" 
has been changed to apparatus or arrangement. 

In particular, in accordance with 37 C.F.R. § 1.125, the Substitute Specification 
contains no new matter. The amendrnents reflected in the Substitute Specification are to 
conform the Specification to U.Sr^ate^^iH'Trademark Office rules or to correct 
informalities. As required by 37 C.F.R. § 1.121 and § 1.125, a Marked Up Version Of The 
Substitute Specification comparing the Specification of record and the Substitute 
Specification also accompanies this response. In the Marked Up Version, underlining 
indicates added text and "strike-throughs" and double-brackets indicate deleted text. 
Approval and entry of the Substitute Specification is respectfully requested. 
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It is therefore respectfully requested that the objections be withdrawn as to the 
specification in view of the submission of the Substitute Specification. 

With respect to paragraph three (3), claim 79 were rejected under the second 
paragraph of 35. U.S.C. § 1 12 as indefinite, because it included multiple spaces between the 
words "from" and "the" in the "second storing means" clause of claim 79. While the 
rejection may not be agreed with, to facilitate matters, claim 79 has been corrected as 
suggested. 

With respect to paragraph five (5), claims 72 to 116 were rejected under 35 U.S.C. § 
102(b) as anticipated by Samson, U.S. Patent No. 5,287,408. 

As regards the anticipation rejections of the claims, to reject a claim under 35 U.S.C. 
§ 102(b), the Office must demonstrate that each and every claim feature is identically 
described or contained in a single prior art reference. (See Scripps Clinic & Research 
Foundation v. Genentech Inc., 18 U.S.P.Q.2d 1001, 1010 (Fed. Cir. 1991)). Still further, 
not only must each of the claim features be identically described, an anticipatory reference 
must also enable a person having ordinary skill in the art to practice the claimed subject 
matter, as discussed herein. (See^fcro, N.V. v. U.S.IT.C, 1 U.S.P.Q.2d 1241, 1245 (Fed. Cir. 
1986)). 

As further regards the anticipation rejections, to the extent that the Office Action may 
be relying on the inherency doctrine, it is respectfully submitted that to rely on inherency, the 
Examiner must provide a "basis in fact and/or technical reasoning to reasonably support the 
determination that the allegedly inherent characteristics necessarily flows from the teachings 
of the applied art." ( See M.P.E.P. § 21 12; emphasis in original; and see Ex parte Levy, 17 
U.S.P.Q.2d 1461, 1464 (Bd. Pat. App. & Int'f. 1990)). Thus, the M.P.EP. and the case law 
make clear that simply because a certain result or characteristic may occur in the prior art 
does not establish the inherency of that result or characteristic. Accordingly, it is respectfully 
submitted that any anticipation rejection premised on the inherency doctrine must fail absent 
the foregoing conditions. 

In view of the law of anticipation and in view of the claimed subject matter, the 
anticipation rejections are traversed for the following reasons. 

To "support" its anticipation rejections, the Final Office Action conclusorily and 
wrongly asserts that the "manifest" language of the claims corresponds to the "program" of 
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the "Samson" reference, and also essentially and wrongly asserts that the "signature" of the 
claims is the same as the public/private key of the "Samson" reference. 

In the present specification, the term "signature" or "digital signature" is a "correct 
signature that is signed (for example, by S pk ) for information (for example, information "x"), 
and the manifest represents a function of the information and the signature. (See, e.g.. 
Specification, page 16, lines 15 to 17; page 17, lines 21 to 24). Still further, for example, at 
lines 10 to 20 of page 31 of the Specification states, for example, that the "manifests of the 
number which the signer intends to store are stored" ~ and the signer referred to is of course 
the signer of the signature. This is only a sample of the references to the terms "manifest" 
and "digital signature" or "signature" which may be found throughout the Specification. 
Nowhere is it suggested that a manifest may be a program, and that a signature may just be a 
public or private key. 

In short, the Final Office Action apparently reflects its own unrestricted and therefore 
unreasonable reading of the above-discussed terms without regard to the sense in which those 
phrases and terms are used in the specification. 

The law plainly supports the foregoing eminently reasonable interpretation of 
"manifest", "digital signature", and "signature" based on the specification. (See In re Weiss, 
26 U.S.P.Q.2d 1885, 1887 (Fed. Cir. 1993) (when interpreting a claim term or phrase, one 
must "look to the specification for the meaning ascribed to that term"; Board reversed) 
(unpublished decision); In re Okuzawa, 190 U.S.P.Q. 464, 466 (C.C.P.A. 1976) ("claims are 
not to be read in a vacuum, and limitations therein are to be interpreted in light of the 
specification in giving them their broadest reasonable interpretation"; Board reversed; 
emphasis in original) (citing In re Royka, 180 U.S.P.Q. 580, 582-83 (C.C.P.A. 1974) (claims 
are "not to be read in a vacuum and while it is true that they are to be given the broadest 
reasonable interpretation during prosecution, their terms still have to be given the meaning 
called for by the specification of which they form a part"; Board reversed; emphasis in 
original); and In re Rohrbacher, 128 U.S.P.Q. 1 17, 1 19 (C.C.P.A. 1960) (an "applicant is his 
own lexicographer and words used in his claims are to be interpreted in the sense in which 
they are used in the specification"; Board reversed)). 

That is exactly the case here since contrary to the foregoing law, the Final Office 
Action simply reflects its own unreasonable reading of "manifest", "digital signature", and 
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"signature" without regard to the sense in which those terms are used in the specification. 
This is evidenced by the Office Action reading "manifest" to cover the program of "samson", 
and "signature" or "digital signature" to cover a public or private key. 

In this regard, "Samson" only refers to an apparatus and method of disabling an 
unauthorized copy of a computer program, in which a dedicated computer program is used to 
generate a particular set of license numbers, in which a separate program embeds the license 
numbers into valid copies of the computer program, and the computer program also includes 
a section for verifying its license number. When a program is attempted to be run, the 
validation procedure verifies the license number. If the license number does not have the 
uncommon mathematical property, an error message is generated and the program exits. 
Accordingly, any review of the "Samson" reference makes plain that it simply does not in any 
way identically describe (or even suggest) the claimed subject matter, including the features 
of "manifest" and "signature", as provided for in the context of the rejected claims, as any 
Appeals Board would completely and readily agree. 

In particular, for example, claim 72 is directed to a data storing method of storing 
digital information which has a value, the data storing method is used in a system including 
an issuer apparatus issuing the digital information and a user apparatus, the method 
comprising: adding, by the issuer apparatus, a signature to the digital information; 
generating, by the issuer apparatus, a manifest corresponding to the digital information; 
generating, by the issuer apparatus, accreditation information with the signature, and 
sending the digital information with the signature and the accreditation information with 
the signature to the user apparatus, wherein the accreditation information indicates third 
parties that are trusted by the issuer apparatus and that trust the user apparatus; receiving, by 
the issuer apparatus, session information from the user apparatus, and sending information 
that includes the manifest and the session information, to the user apparatus; and verifying, 
by the user apparatus, the manifest and the session information, and storing the manifest in 
the user apparatus only when the manifest and the session information are verified. 

None of these features are in any way identically described by the "Samson" reference 
for the reasons explained above. 

Accordingly, claim 72 is allowable for the above reasons. 
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Independent claims 73 , 77 to 80, 84 and 85 include the "manifest" and "signature" 
features like that of claim 72 and are therefore allowable for essentially the same reasons as 
claim 72. 

Claims 74 to 76 depend from claim 73, and are therefore allowable for the same 
reasons as claim 73. 

Claims 81 to 83 depend from claim 80, and are therefore allowable for the same 
reasons as claim 80. 

Independent claim 86 is directed to an original data circulation method in an original 
data circulation system for storing or circulating original data which is digital information, the 
method comprising: sending, by a first apparatus, originality information to a second 
apparatus, the originality information including a fingerprint corresponding to a source 
apparatus of the original data and second information corresponding to the original data, 
and performing an authentication step of identifying and authenticating, by the second 
apparatus, the source apparatus, verifying whether the source apparatus is the same as an 
apparatus corresponding to the fingerprint, and determining that the originality 
information is valid if the source apparatus is the same as an apparatus corresponding to 
the fingerprint. It is respectfully submitted that the features corresponding to the fingerprint 
corresponding to a source apparatus of the original data are not in any way identically 
described (or even suggested) by the "Samson" reference. Indeed, none of the analysis in the 
Final Office Action even conclusorily asserts that the "Samson" reference identically 
describes these features. The Final Office Action apparently relied on the "analysis" of claim 
72 to reject the claim of 86, which recites different claim features than does claim 72. 

Accordingly, claim 86 is allowable for the above reasons. 

Claims 87 to 90 depend from claim 86 and are therefore allowable for the same 
reasons as claim 86. 

Claim 91 includes the "fingerprint" features like those of claim 86, and is therefore 
allowable for essentially the same reasons as claim 86. 

Claims 92 to 95 depend from claim 91 and are therefore allowable for the same 
reasons as claim 91. 

While the rejection of claim 96 may not be agreed with, to facilitate matters, its 
language is now more like that of claim 86, as to the "fingerprint" features. Independent 
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claim 96 as now presented is directed to an issuer apparatus in an original data circulation 
system for storing or circulating original data which is digital information, the issuer 
apparatus comprising: originality information generation means for generating originality 
information which includes a fingerprint corresponding to the issuer apparatus of the 
original data and second information corresponding to the original data; and originality 
information sending means for sending the originality information. It is respectfully 
submitted that these "fingerprint" features are not identically described (or even suggested) by 
the "Samson" reference. In fact, the Final Office Action does not even conclusorily assert or 
explain how this is so (which it is not), so that claim 96 is allowable. 

Claims 97 to 98 depend from claim 96 and are therefore allowable for the same 
reasons as claim 96. 

Claim 1 00 includes "fingerprint" features like those of claim 86, and is therefore 
allowable for essentially the same reasons as claim 86. 

Claim 101 depends from claim 100 and is therefore allowable for the same reasons as 
claim 100. 

While the rejection of claim 102 may not be agreed with, claim 102 as presented is 
directed to a collector apparatus in an original data circulation system for storing or 
circulating original data which is digital information, the collector apparatus comprising: 
identifying means for identifying a source apparatus of originality information; 
authentication means for authenticating the source apparatus; and data processing means 
for performing a process corresponding to the original data if the authentication means 
determines that the originality information which is sent to the collector apparatus is valid, 
in which the originality information includes a fingerprint corresponding to the source 
apparatus of the original data. It is respectfully submitted that the "fingerprint" features are 
not identically described (or even suggested) by the "Samson" reference, as explained above, 
so that claim 102 is allowable. 

Claim 103 depends from claim 102 and is therefore allowable for the same reasons as 
claim 102. 

While the rejection of claim 104 may not be agreed with, to facilitate matters, its 
language is now more like that of claim 86, as to the "fingerprint" features. In particular, 
claim 104 as presented is directed to an original data circulation system for storing or 
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circulating original data which is digital information, the original data circulation system 
comprising: an issuer apparatus which includes means for generating originality information 
and sending the originality information, the originality information including a fingerprint 
corresponding to the issuer apparatus of the original data and second information 
corresponding to the original data; a user apparatus which includes means for verifying 
validity of a source apparatus of the originality information and means for storing the 
originality information when the validity is verified; and a collector apparatus which 
includes means for verifying validity of a source apparatus of the originality information and 
data processing means for performing a process on the original data if the validity is 
verified. It is respectfully submitted that these features involving the "fingerprint 55 feature of 
the issuer apparatus are not identically described (or even suggested) by the "Samson 55 
reference, so that claim 104 is allowable. 

While the rejection of claim 105 may not be agreed with, to facilitate matters, its 
language is now more like that of claims 96 and 100, as to the "fingerprint 55 features, so that 
claim 105 is allowable for essentially the same reasons as these claims. 

Claims 106, 107 and 108 depend from claim 105 and are therefore allowable for the 
same reasons as claim 105. 

While the rejection may not be agreed with, to facilitate matters, claim 109 as 
presented includes "fingerprint 55 features analogous to those of claim 96, and is therefore 
allowable for essentially the same reasons as claim 96. 

Claims 110, 111 and 112 depend from claim 109 and are therefore allowable for the 
same reasons as claim 109. 

Independent claim 1 1 3 is directed to a computer readable medium storing program 
code for causing a computer in an original data circulation system to store or circulate 
original data which is digital information, the computer being used as a user apparatus, the 
computer readable medium comprising: originality information sending program code means 
for sending originality information which includes a fingerprint corresponding to a source 
apparatus of the original data and second information corresponding to the original data; 
identifying program code means for identifying the source apparatus of the originality 
information; authentication program code means for determining that the originality 
information is valid if the source apparatus is authenticated and an apparatus 
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corresponding to the fingerprint and the source apparatus are the same; and storing 
program code means for storing the originality information if the authentication program 
code means determines that the originality information is valid. As with claim 100, it is 
respectfully submitted that these "fingerprint" features are not identically described (or even 
suggested) by the "Samson" reference, so that claim 1 13 is allowable. 

Claim 114 depends from claim 113 and is therefore allowable for the same reasons as 
claim 113. 

While the rejection of claim 115 may not be agreed with, to facilitate matters, its 
language is now more like that of claim 86, as to the "fingerprint" features. Independent 
claim 1 1 5 is directed to a computer readable medium storing program code for causing a 
computer in an original data circulation system to store or circulate original data which is 
digital information, the computer being used as a collector apparatus, the computer-readable 
medium comprising: identifying program code means for identifying a source apparatus of 
originality information; authentication program code means for authenticating the source 
apparatus; and data processing program code means for performing a process 
corresponding to the original data if the authentication program code means determines that 
the originality information which is sent to the collector apparatus is valid, in which the 
originality information includes a fingerprint corresponding to the source apparatus of the 
original data. As explained above, it is respectfully submitted that these features are not 
identically described (or even suggested) by the "Samson" reference, so that claim 1 1 5 as 
presented is allowable. 

Claim 116 depends from claim 115 and is therefore allowable for the same reasons as 
claim 115. 

In summary, it is respectfully submitted that all of claims 72 to 1 16 of the present 
application are allowable at least for the foregoing reasons. 
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CONCLUSION 

In view of the foregoing, it is believed that the objections and rejections have been 
obviated, and that claims 72 to 1 1 6 are allowable. It is therefore respectfully requested that 
the objections and rejections be withdrawn, and that the present application issue as early as 
possible. 

RespectfuUy_suhinjt 
JYON & KgNYOT) 



Dated:' W/Zfrggj/ 




Aai\on^<T^fed«ch 
(Reg. No. 33,865) 

One Broadway 

New York, New York 10004 

(212)425-7200 

CUSTOMER NO. 26646 



685405 
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TITLE OF THE INVENTION 

ORIGINAL DATA CIRCULATION METHOD, SYSTEM, 
APPARATUS, AND COMPUTER READABLE MEDIUM 

5 BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention generally relates to an 
original data circulation method, system apparatus, and 
computer readable medium. More particularly, the 

10 present invention relates to providing technologies for 
storing and distributing data such as a digital ticket 
which represents a digital right, digital contents and 
the like, in which the number of valid reproductions of 
such data needs to be smaller than a defined number. 

15 2. Description of the Related Art 

Reproductions of data or a digital ticket 
which represents a digital right exceeding the number 
which the data distributor intends should be prevented. 
That is, distributed data that is reproduced by a user 

20 illegally should be prevented. 

Conventionally, such multiple use is 
prevented by technologies described in the following. 

A first method is that transfer histories of 
the original data are attached to the data and they are 

25 used to check whether the data is already used or not 
at the time of request for exercising the right. If 
the right is already used up, the service provider (or 
collector) of the data refuses accepting the right 
represented by the data. 

30 A second method is to store the data in a 

tamper-proof device such that the data cannot be 
accessed except via the tamper-proof device. When the 
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data is used up, the data is deleted from the tamper- 
proof device . 

According to the above-mentioned first 
method, a special device such as the tamper-proof 
5 device is not necessary. However, a problem comes up 
when the data is circulated. More specifically, 
validity of the data can be checked only when the right 
is exercised according to the first method. Therefore, 
there is a problem that the validity of the data can 

10 not be judged while the data is circulating. 

According to the above-mentioned second 
method, uniqueness of the data can be protected by 
using the tamper-proof device. In addition, methods 
which are described in Japanese patent application 

15 No. 6-503913 or Japanese laid-open patent application 
No. 9-511350 can be used together with the above- 
mentioned second method, in which a plurality of 
tamper-proof devices are connected via secure 
communication routes which are protected by 

20 cryptography. The data is exchanged via the 

communication routes such that the data can be 
circulated while preventing reproduction of the data. 
However, the technology has the following two problems 
since the data needs to be stored in the tamper-proof 

25 device. 

First, it becomes impossible to view the 
description of the data. Therefore, there is a 
constraint that all checks such as a check of the 
validity period of the description should be left to 
30 the tamper-proof device. 

In addition, since the tamper-proof device 
should not only have a storing part of the data but 
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also carry out all processing necessary for handling 
the data, a. large storage capacity and a high 
processing throughput are required for the tamper-proof 
device. Especially, an IC card which is generally used 
5 for the tamper-proof device does not have enough 
storage capacity or processing throughput. 

SUMMARY OF THE INVENTION 

It is an object of the present invention to 

10 provide an original data circulation method, a system, 
an apparatus and a computer readable medium in which it 
is ensured that the number of valid reproductions of 
data is maintained below a specified number. In 
addition, the tamper-proof device does not necessarily 

is perform all verifications other than the verification 
on reproducing such that processing load such as 
processing throughput or memory capacity can be 
decreased. 

The above object of the present invention is 
20 achieved by an original data circulation system for 

storing or circulating original data which is digital 
information, the system comprising: 

an apparatus including: mcano an arrangement 
for generating first information corresponding to an 
25 issuer apparatus for issuing data; means an arrangement 
for sending the first information; and means an 
arrangement for sending second information 
corresponding to the data; and 

an apparatus including: mcano an arrangement 
30 for verifying validity of the first information which 

is received; means an arrangement for verifying that an 
issuing apparatus corresponding to valid first 



MARKED UP VERSION OF 
SUBSTITUTE SPECIFICATION 



-4- 



inf ormation is valid; and mcano an arrangement for 
determining that data corresponding to the second 
information is valid when the issuer apparatus is 
valid . 

5 The first information may be, for example, 

after-mentioned H(Pkl) or the like. The second 
information may be a hash value of data or a hash value 
of data with a signature. The issuer apparatus is 
determined to be valid, for example, when the source 

10 apparatus of the first information and an apparatus 
corresponding to the first information are the same. 
Since a tamper-proof apparatus and the like performs an 
authentication process using the f irst^ information, the 
above-mentioned problem is solved and the processing 

15 load can be decreased. 

The above object of the present invention is 
also achieved by a data storing method of storing 
digital information which has a value, comprising the 
steps of : 

20 generating third information which is digital 

information with a signature signed by an issuer 
apparatus for the digital information; 

generating, by the issuer apparatus, fourth 
information, the fourth information being a manifest 
25 corresponding to the digital information; 

verifying, by an user apparatus, identity of 
the issuer apparatus by using the third information and 
the fourth inf ormat ion ; and 

preventing reproduction of the digital 
30 information . 

The fourth information may be, for example, a 
hash value of the data with the signature. The hash 
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value is the manifest which corresponds to originality 
information. The originality information is 
information which represents genuineness of the right 
of data. In other words, the originality information 
5 represents the authenticity or originality of data. 

According to the above-mentioned invention, 
data and the signature of the data are stored and a 
manifest which is information in one-to-one 
correspondence with the data and the signature. In 

10 addition, the signer who generates the signature is 
identified and it is verified that the signer is the 
same as the party which intends to store the manifest. 
Thus, the number of manifests which the signer intends 
are stored in the data storing system. 

is The data storing method may further comprise 

the steps of: 

verifying identity of the issuer apparatus by 
storing the fourth information in a tamper-proof 
device; and 

20 preventing reproduction of the digital 

information . 

Accordingly, the data can be stored in an 

apparatus other than the data storing system since the 

tamper-proof device is used. 
25 The above object of the present invention is 

also achieved by a data storing system for storing 

digital information which has a value, comprising: 
an issuer apparatus for generating third 

information which is digital information with a 
30 signature and generating the fourth information which 

is a manifest corresponding to the digital information; 

and 
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a user apparatus for verifying identity of 
the issuer apparatus by using the third information and 
the fourth information; and 

preventing reproduction of the digital 
information . 

The above object of the present invention is 
also achieved by a user apparatus for using digital 
information in a data storing system for storing 
digital information which has a value, comprising: 

a first storing moano arrangement for storing 
and extracting digital information with a signature; 

a second storing moano arrangement for 
storing and extracting a manifest corresponding to 
digital information; 

a first authentication means arrangement for 
verifying that the manifest is valid; and 

a first control moano arrangement for storing 
the manifest in the second storing moano arrangement 
only when the first authentication moano arrangement 
verifies that the manifest is valid. 

Accordingly, by determining that the data is 
valid only when the manifest corresponding to the data 
is stored in the data storing system, having valid data 
exceeding the number of manifests that exist can be 
avoided. 

The above object of the present invention is 
also achieved by an issuer apparatus for issuing 
digital information in a data storing system for 
storing digital information which has a value, the 
issuer apparatus comprising: 

an accredited information generation means 
arrangement for generating accredited information which 
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includes a set of information representing an 
accredited object trusted by the signer of the digital 
information; 

a signature means arrangement for providing a 
signature to the digital information and to the 
accredited information; 

a manifest generation means arrangement for 
generating the manifest; 
means 

an arrangement for sending the digital 
information and the accredited information to a user 
apparatus ; 
means 

an arrangement for receiving session 
information which includes a verification key of the 
user apparatus and a serial number; and 
means 

an arrangement for sending information 
including the manifest and the session information by 
using a verification key and a signature function of 
the issuer apparatus. N 

Accordingly, there is an accredited object 
trusted by the signer of the data and a signature 
signed by the issuer apparatus. It is verified that 
the signer of the manifest is included in the 
accredited objects or in the signers trusted by the 
accredited object. In addition, it is verified that 
the signer of the accredited information and the signer 
of the data are the same. Accordingly, the manifest 
can be transmitted only via a route trusted by the 
signer of the data. At the time, the tamper-proof 
capability is assured by using the tamper-proof 
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apparatus . 

The above object of the present invention is 
also achieved by a collector apparatus for exercising a 
right of digital information in a data storing system 
for storing digital information which has a value, the 
collector apparatus comprising: 
mcano 

an arrangement for receiving digital 
information with a signature of the issuer and 
accredited information with the signature from a user 
apparatus; 
means 

an arrangement for generating session 
information which has uniqueness in the data storing 
system and sending the session information to the user 
apparatus ; 
means 

an arrangement for receiving information 
including the manifest and the session information from 
the user apparatus ; and 
means 

an arrangement for verifying that the session 
information, the manifest and the accredited 
information are valid. 

Accordingly, by generating and storing the 
session information, it becomes possible to avoid the 
manifest being stored in a plurality of storing parts 
without using an encrypted route. In addition, it 
becomes possible to send a plurality of manifests to a 
storing part in parallel. 

The above-mentioned inventions will be 
described in the first embodiment in detail. In 
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addition, the following inventions will be described in 
the second embodiment in detail. 

The above object of the present invention is 
also achieved by an original data circulation method in 
5 an original data circulation system for storing or 

circulating original data which is digital information, 
the method comprising: 

a sending step of sending, by a first 
apparatus, originality information, the originality 
10 information including fifth information which 

corresponds to an apparatus and sixth information which 
is data or information corresponding to the data; and 

an identifying step of identifying, by a 
second apparatus, the source apparatus of the 
15 originality information; 

a first authentication step of determining 
that the originally information is valid when the 
source apparatus is authenticated; and 

a second authentication step of determining 
20 that the originality information is valid only when the 
source apparatus and an apparatus corresponding to the 
fifth information of the originality information are 
the same . 

The above object of the present invention is 
25 also achieved by an original data circulation system 
for storing or circulating original data which is 
digital information, the system comprising: 

a first apparatus which includes a sending 
means arrangement for sending originality information, 
30 the originality information including fifth information 
which corresponds to an apparatus and sixth information 
which is data or information corresponding to the data; 
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and 

a second apparatus which includes: 

an identifying means arrangement for 
identifying a source apparatus of the originality 
5 information; 

a first authentication means arrangement for 
determining that the originally information is valid 
when the source apparatus is authenticated; and 

a second authentication means arrangement for 
10 determining the originality information is valid only 
when the source apparatus and an apparatus 
corresponding to the fifth information of the 
originality information are the same. 

The above-mentioned originality information 
15 will be called token in the second embodiment. The 

fifth information may be, for example, a hash value of 
a verification key (public key) of an apparatus. The 
sixth information may be, for example, a hash value of 
the data. According to the above-mentioned invention, 
20 since the second authentication means arrangement 

determines that the originality information is valid 
only when the source apparatus and an apparatus 
corresponding to the first information are the same, 
the conventional problem can be solved. In addition, 
25 since it is not necessary to circulate the signature, 
the processing load can be further decreased. 

The above object of the present invention is 
also achieved by an issuer apparatus in an original 
data circulation system for storing or circulating 
30 original data which is digital information, the issuer 
apparatus comprising : 

an originality information generation means 
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arrangement for generating originality information 
which includes fifth information corresponding to the 
issuer apparatus and sixth information corresponding to 
data or information corresponding to the data; and 
5 an originality information sending mcano 

arrangement for sending the originality information. 

The above object of the present invention is 
also achieved by a user apparatus in an original data 
circulation system for storing or circulating original 

10 data which is digital information, the user apparatus 
comprising : 

an originality information sending mcano 
arrangement for sending originality information which 
includes fifth information corresponding an apparatus 

is and sixth information corresponding to data or 
information corresponding to the data; 

an identifying mcano arrangement for 
identifying a source apparatus of the originality 
information which is sent from an apparatus ; 

20 an authentication mcano arrangements for 

determining that the originality information is valid 
when the source apparatus is authenticated or when the 
apparatus corresponding to the fifth information and 
the source apparatus are the same ; and 

25 a storing mcano arrangement for storing the 

originality information when the authentication mcano 
arrangement determines that the originality information 
is valid. 

The above object of the present invention is 
30 also achieved by a collector apparatus in an original 
data circulation system for storing or circulating 
original data which is digital information, the 
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collector apparatus comprising: 

an identifying- mcano arrangement for 
identifying a source apparatus of originality 
information; 

an authentication means arrangement for 
authenticating the source apparatus; and 

a data processing mcano arrangement for 
performing a process corresponding to the data or data 
corresponding to the sixth information when the 
authentication mcano arrangement determines that the 
originality information which is sent to the collector 
apparatus is valid . 

In the present invention, since accredited 
information which represents a trusted third party may 
be used, the originality information can be circulated 
between trusted parties. 

The above object of the present invention is 
also achieved by an original data circulation system 
for storing or circulating original data which is 
digital information, the original data circulation 
system comprising : 

an issuer apparatus including: 

a first originality information generation 
mcano arrangement for generating originality 
information which includes fifth information 
corresponding to the issuer apparatus and sixth 
information corresponding to data or information 
corresponding to the data; and 

a first originality information sending mcano 
arrangement for sending the originality information; 

a user apparatus including: 

a first originality information sending mcano 
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arrangement for sending originality information which 
includes fifth information corresponding to an 
apparatus and sixth information corresponding to data 
or information corresponding to the data; 
5 a first identifying mcana arrangement for 

identifying a source apparatus of the originality 
information which is sent from an apparatus; 

a first authentication means arrangement for 
determining that the originality information is valid 
10 when the source apparatus is authenticated or when the 
apparatus corresponding to the fifth information and 
the source apparatus is the same; and 

a storing means arrangement for storing the 
originality information when the first authentication 
15 means arrangement determines that the originality 
information is valid; and 

a collector apparatus including: 
a sixth identifying means arrangement for 
identifying a source apparatus of originality 
20 information; 

a sixth authentication means arrangement for 
authenticating the source apparatus; and 

a data processing means arrangement for 
performing a process corresponding to the data or data 
25 corresponding to the sixth information when the second 
authentication means arrangement determines that the 
originality information which is sent to the collector 
apparatus is valid. 

Accordingly, it becomes possible to issue a 
30 ticket, transfer the ticket, consume and present the 
ticket in the above apparatuses . 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Other objects, features and advantages of 
the present invention will become more apparent from 
the following detailed description when read in 
5 conjunction with the accompanying drawings, in which: 

Fig.l is a diagram for describing a principle 
according to a first embodiment of the present 
invention; 

Fig. 2 is a block diagram of a data storing 
10 system according to the first embodiment of the present 
invention; 

Fig. 3 is a block diagram of an issuer 
apparatus of the data storing system according to the 
first embodiment of the present invention; 
is Fig. 4 is a block diagram of a user apparatus 

of the data storing system according to the first 
embodiment of the present invention; 

Fig. 5 is a block diagram of a collector 
apparatus of the data storing system according to the 
20 first embodiment of the present invention; 

Fig. 6 is a block diagram of a connection 
apparatus of the data storing system according to the 
first embodiment of the present invention; 

Fig. 7 is a sequence chart showing a ticket 
25 issuing process in the data storing system according to 
the first embodiment of the present invention; 

Fig. 8 is a sequence chart showing a ticket 
transferring process in the data storing system 
according to the first embodiment of the present 
30 invention; 

Fig. 9 is a sequence chart showing a ticket 
transferring process in the data storing system 
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according to the first embodiment of the present 
invention; 

Fig. 10 is a sequence chart showing a ticket 
consuming process in the data storing system according 
to the first embodiment of the present invention; 

Fig. 11 is a diagram for describing a 
principle according to a second embodiment of the 
present invention; 

Figs.l2A and 12B are block diagrams of a data 
storing system in an original data circulation system 
according to the second embodiment of the present 
invention; 

Fig. 13 is a block diagram of an issuer 
apparatus of the original data circulation system 
according to the second embodiment of the present 
invention; 

Fig. 14 is a block diagram of a user apparatus 
of the original data circulation system according to 
the second embodiment of the present invention; 

Fig. 15 is a block diagram of a collector 
apparatus of the original data circulation system 
according to the second embodiment of the present 
invention; 

Fig. 16 is a block diagram of a connection 
apparatus of the original data circulation system 
according to the second embodiment of the present 
invention; 

Fig. 17 is a sequence chart showing a ticket 
issuing process in the original data circulation system 
according to the second embodiment of the present 
invention; 

Fig. 18 is a sequence chart showing a ticket 
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transferring process in the original data circulation 
system according to the second embodiment of the 
present invent ion ; 

Fig. 19 is a sequence chart showing a ticket 
5 transferring process in the original data circulation 
system according to the second embodiment of the 
present invent ion ; 

Fig. 2 0 is a sequence chart showing a ticket 
consuming process in the original data circulation 
10 system according to the second embodiment of the 
present invention; 

Fig. 21 is a block diagram showing a 
configuration of a computer. 

15 DETAILED DESCRIPTION^ OF THE PREFERRED EMBODIMENTS 
(First Embodiment) 

First, a data storing system as an original 
data circulation system of the present invention will 
be described. 

Fig.l is a diagram for describing a principle 
of the present invention. In the data storing system of 
the present invention/ an issuer apparatus of digital 
information generates first information by adding a 
digital signature to the digital information in step 1. 
The issuer apparatus generates second information which 
is a manifest corresponding to the digital information 
and adds the second information to the first 
information in step 2 . A user apparatus checks the 
identity of the issuer apparatus by using the first 
information and the second information such that the 
unauthorized reproduction of the digital information 
can be prevented in step 3 . 



25 
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In the first embodiment, a digital ticket 
that is a digital representation of a right to claim 
services or goods, are used as an example of digital 
information to be circulated. 
5 Fig. 2 shows a block diagram of the data 

storing system. As shown in the figure, an issuer 
issues a digital ticket. Then, the user transfers the 
digital ticket to another user. When a user who 
receives the digital ticket uses the digital ticket, a 

10 verifier verifies validity of the digital ticket. 

In the figure, the issuer of the digital 
ticket has an issuer apparatus 1 and the user who 
receives the digital ticket has a user apparatus 2 . 
When issuing a digital ticket, a communication channel 

15 between the issuer apparatus 1 and the user apparatus 2 
is established via a connection apparatus 4. The 
communication channel may exist only during the period 
from the issuing start time to the issuing end time. 

When transferring the digital ticket, a 

20 communication channel is established between the user 
apparatuses 2 via the communication apparatus 4 in the 
same way as when issuing the digital ticket. Then, the 
digital ticket is transferred between the user 
apparatuses 2 . A collector of the digital tickets has 

25 a collector apparatus 3 . When collecting the digital 

tickets, a communication channel is established between 
the user apparatus 2 and the collector apparatus 3 via 
the communication apparatus 4 in the same way as when 
issuing the digital ticket. Then, the digital ticket 

30 is sent to the collector apparatus 3. 

As mentioned above, the data storing system 
of the present invention includes one or a plurality of 
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issuer apparatuses, one or a plurality of user 
apparatuses 2 and one or a plurality of collector 
apparatuses 3 which apparatuses are connected by 
connection apparatuses 4 which provide temporal 
5 communication channels. 

In the following, each of the apparatuses 
which are included in the data storing system will be 
described. Before the description, meanings of 
formulas which will be used for the description will be 

10 described. 

x || y means concatenation of x and y. H means a 
unidirectional hash function. The hash function has 
the property that determining x from y which satisfies 
y=H (x) is difficult. MD5 of RSA is known as a hash 

15 function. 

Spk is a signature function which generates a 
digital signature which can be verified by a 
verification function V Pk . The verification function 
V Pk has the property of V Pk (x || S Pk (x) ) =1 , V Pk (x || other) =0 

20 (other^ S Pk (x)). That is, the verification function 

V Pk can verify that information x has a signature signed 
by the signature function S Pk . In addition, the 
verification function V Pk can verify that the digital 
signature S Pk (x) is a correct signature signed by S Pk 

25 for x. 

Pk is a verification key and has the property 
that V Pk can be formed by providing the verification key 
Pk to a verifier V. Especially, a verification key 
Pk2 || S Pkl (Pk2) is called as a key certificate of Pk2 by 
30 Pkl. 

ESIGN of Nippon Telegraph and Telephone 
Corporation is known as a digital signature method 
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which realizes the above-mentioned S Pk and V Pk . 

Fig. 3 shows an issuer apparatus according to 
an embodiment of the present invention. 

The issuer apparatus 1 shown in the figure 
includes a control part 11, a signature part 12, a data 
generation part 13, a manifest generation part 14 and 
an accredited information generation part 15. 

The control part 11 has a verification key 
Pkl and controls the issuer apparatus 1 to circulate a 
digital ticket securely. Pkl is a verification key 
corresponding to a signature function S PkI provided m 
the signature part 12 . A detailed description on the 
control part 11 will be given later. 

The signature part 12 includes the signature 
function S PkI . Each issuer apparatus has a different 
signature function S PkI . The signature function S PkI is 
concealed by the signature part 12. 

The data generation part 13 generates data m 
on the basis of information generated in the issuer 
apparatus 1 or information given from the outside. 
According to the data storing system of the present 
invention, there is no restriction for the contents of 
the data m. Therefore, digital information 
representing rights of general tickets such as a 
concert ticket, program data, music data and image data 

can be used as the data m. 

in addition, m can be formed as. relation to 
other data or as data including relation to other data 
by obtaining H(m 0 ) in which m 0 is provided from the 
outside.' Accordingly, data amount sent to an after- 
mentioned tamper-proof device 28 can be decreased when 
issuing a digital ticket. 



MARKED UP VERSION OF 
cttpqttttTTE SPECIFICATION 




The manifest generation part 14 has the 
unidirectional hash function H and generates a manifest 
C( m , pki) =H (m || Sp k i (m) ) of data with a signature m || S Pk i 
(m) . 

5 The accredited information generation part 15 

generates accredited information t=(ti, t c ) . In the 
accredited information t=(ti, t c ) , ti=PkI, t c = H(PkCi) , 
H(PkC 2 ), »./ H(PkC n )}. Here, Pki is a verification key 
held by the control part 11, and PkCi is a verification 

10 key for verifying a signature signed by an after- 
mentioned third party which is "trusted" by the issuer. 

Fig. 4 is a user apparatus 2 according to an 
embodiment of the present invention. The user 
apparatus 2 includes a control part 21, a storing part 

15 22 and the tamper-proof device 28 which has a control 
part 23, an authentication part 24, a signature part 
25, a number generation part 26 and a storing part 27. 
The tamper-proof device 2 8 protects functions and 
contents of the parts from tampering. Even the user of 

20 the tamper-proof device 28 can not tamper with the 

tamper-proof device 28. An IC card or a server which 
is stringently managed by a third party via a network 
can be used as the tamper-proof device 28. 

The control part 21 and the control part 23 

25 in the tamper-proof device 2 8 control the user 

apparatus 2 for circulating a digital ticket securely. 
The detailed description of the control part 21 will be 
described later. 

The storing part 22 stores a set M u of data 

30 with a signature which is held by the user and a set T u 
of accredited information with a signature signed by an 
issuer. The sets can be updated by the control part 
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21 . 

The control part 23 has verification keys PkU 
and PkC, and a key certificate PkU || S P kc (PkU) . Here, 
the verification key PkU corresponds to S P ku in the 
5 signature part 25. S Pkc is a signature function 

concealed by a third party which assures security of 
the tamper-proof device 28. The third party may be an 
IC card manufacturer, a tamper-proof server 
administrator or the like. That is, tamper-proof 

10 capability of the tamper-proof device 2 8 which includes 
the signature function S P ku is assured by the third 
party which has the signature function S Pkc . A detailed 
description of the control part 23 will be given later. 
PkC is a verification key of S P kc- 

15 A storing part 22 of another user apparatus 

and/or a storing part 34 of an after-mentioned 
collector apparatus 3 can be used with the storing part 

22 or instead of the storing part 22. In such a case, 
since data m and after-mentioned accredited information 

20 (ti, t 2/ t 3 ) can be shared by the user apparatuses and 
the collector apparatuses, the data m and the 
accredited information (ti, t 2 , t 3 ) are not necessarily 
sent between the apparatuses . 

The authentication part 24 includes a 

25 verifier V. The signature part 25 includes the 

signature function S Pk u- Each of the user apparatuses 
have different S Pk u- S P ku is concealed by the signature 
part 25. 

The number generation part 2 6 stores a next 
3 0 number ru- When the number generation part 2 6 is 

required to issue a number, the number generation part 
2 6 issues a current number ru and increments r a . 
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The storing part 27 stores a set of manifests 
Cu={ci # c 2 , -»/ c n } and a set of numbers Ru={ri, r 2/ 
r m } . These sets can be updated by the control part 21. 

Fig. 5 is a block diagram of the collector 
5 apparatus 3 according to an embodiment of the present 
invention. The collector apparatus 3 includes a 
control part 31, an authentication part 32, a number 
generation part 33 and a storing part 34. 

The control part 31 has a verification key 
10 PkV and controls the collector apparatus 3 for 

circulating the digital ticket securely. The detailed 
description of the operation of the control part 31 
will be given later. 

The authentication part 32 includes a 
15 verifier V. 

The number generation part 33 stores a next 
number r v . When the number generation part 33 is 
required to issue a number, the number generation part 
33 issues a current number r v and increments r v . 
20 The storing part 34 stores a set of numbers 

Rv={ri, £"2/ »•/ **m} - The set can be updated by the 
control part 31. 

Fig. 6 is a block diagram of the connection 
apparatus 4 according to an embodiment of the present 
25 invention. 

The connection apparatus 4 includes a 
communication part 41. The communication part 41 
provides a temporal or permanent communication channel 
between the issuer apparatus 1, the user apparatus 2 
30 and the collector apparatus 3, or between the user 
apparatuses. A terminal with an IC card slot at a 
kiosk, a plurality of PCs which are connected via 
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network or the like can be used as the connection 
apparatus 4 . 

A method for circulating the digital ticket 
securely by using the above-mentioned apparatuses will 
5 be described in the following. 

Basic concepts of the circulation method are 
shown below. 

- The digital ticket is represented by data 
with a signature by an issuer m || S P )d (m) . Contents of 

10 a right which is given to an owner of the digital 

ticket by the issuer are described in m. Otherwise, m 
includes a relation to data in which contents of the 
right are described. 

- Tampering with the digital ticket can be 
15 prevented by using the signature function S P ki of the 

issuer of the digital ticket. 

- Reproduction of the digital ticket is not 
prohibited. 

- A manifest C( m , Pk i) can be generated from the 
20 digital ticket. The manifest is substantially in a 

one-to-one correspondence with the digital ticket. 

- The manifest becomes valid by being stored 
in the storing part 2 7 of the tamper-proof device 2 8 
trusted by the issuer. 

25 - The tamper-proof device trusted by the 

issuer is a device in which the tamper-proof capability 
is insured by a party trusted by the issuer. The party 
trusted by the issuer is defined by an accredited 
information ti. 

30 - A valid manifest can be newly generated 

only by the issuer of the corresponding digital ticket. 

- It is prohibited to generate one or a 
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plurality of valid manifests from a valid manifest. 
That is, the user, is prohibited from generating a 
manifest of a digital ticket which is signed by others. 

In the following, the circulation method of a 
5 digital ticket will be described for each of the cases 
of (1) Issuing a digital ticket, (2) Transferring a 
digital ticket and (3) Consuming a digital ticket. In 
the following description, communication between the 
apparatuses is carried out via the communication part 
10 41 of the connection apparatus 4. 

(1) Issuing a digital ticket 

The process for issuing a digital ticket from 
the issuer apparatus 1 to the user apparatus 2 via the 
connection apparatus 4 is shown below. Fig. 7 is a 
15 sequence chart of the process according to an 
embodiment of the present invention. 

Step 101) The control part 11 obtains m and 
Spki (m) according to the following procedure to 
generate a digital ticket m || S P ki (m) which is data with 
20 a signature. 

(a) The data generation part 13 generates data m. 

(b) m is given to the signature part 12 such that 
the signature part 12 generates Sp^i (m) . 

Step 102) The control part 11 provides the 
25 digital ticket m||s P ki (m) to the manifest generation 
part 14 such that the manifest generation part 14 
generates a manifest C( m , pkd . 

Step 103) The control part 11 obtains 
accredited information t and a signature function S P ki 
30 (t) according to the following procedure and generates 
accredited inf ormati on with a signature t || Sp^i (t) . 

(a) The accredited information generation part 15 
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generates the accredited information t. The 
configuration of t was described before. 

(b) The accredited information t is provided to 
the signature part 12 such that the signature part 12 
5 generates the signature S P ki (t) . 

Step 104) The control part 11 sends the 
digital ticket m || S P ki (m) and the accredited 
information with a signature t || S Pk i (t) to the control 
part 21. 

10 In step 101, when m which is generated by the 

data generation part 13 is a relation to other data, 
for example, m=H (m 0 ), or when m includes the relation, 
the related data (m 0 ) is sent as necessary, which is 
the same as the cases of after-mentioned transferring 

15 and consuming. 

Step 105) The control part 21 of the user 
apparatus 2 adds the digital ticket m || S Pk i (m) in the 
set Mu, adds the accredited information with the 
signature t || S Pk i (t) in the set T v and stores them in 

20 the storing part 22. 

When data related to m is sent, the relation 
is verified. If the verification fails, the process is 
interrupted and the issuer apparatus is notified of it. 
This is the same as in the case of after-mentioned 

25 transferring and consuming. 

Step 106) The control part 21 requests to 
generate session information (si, s 2 ) to the control 
part 23. 

The control part 23 generates the session 
30 information (si, s 2 ) according to the following 
procedure and sends it to the control part 21. 

(a) The control part 23 obtains a number r y 
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generated by the number generation part 26. 

(b) The number r w is added to a number set Ru in 
the storing part 27. 

(c) The session information (si, s 2 ) = (H(PkU), r a ) 
5 is generated. Here, PkU is a verification key held by 

the control part 21. 

Step 107) The control part 21 sends the 
session information (si, s 2 ) to the control part 11. 

Step 108) The control part 11 obtains a 
10 manifest issuing format ei=(ei, e 2/ e 3/ e 4 , e 5 ) by using 
Spki in the signature part 12 and the verification key 
Pkl retained by the control part 11. Each element in 
e x is shown below. 
ei=C( m , pki) 
15 e 2 =Si 
e 3 =s 2 

e 4 =S Pk i (c (m/ pki) II si || s 2 ) 
e 5 =PkI 

Step 109) The control part 11 sends the 
20 manifest issuing format e x to the control part 21. 

Step 110) The control part 21 sends the 
digital ticket m || S PK i (m) and the manifest issuing 
format ei to the control part 2 3 and requests to store 
the manifest in ei . 
25 Step 111) The control part 2 3 verifies that 

following conditions are satisfied by using the 
authentication part 24. If the verification fails, the 
process after that is interrupted and the control part 
23 notifies the control part 11 of the process 
30 interruption via the control part 21. ' 
e 2 =H(PkU) (1) 
e 3 €=Ru (2) 
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V e5 (m|| S Pk i (m) )=1 (3) 
Ve5(ei||e 2 ||e 3 ||e4) =1 (4) 
ei = H(m|| Spki (m) ) (5) 

The above-mentioned formulas (1) and (2) mean 
5 verification of validity of the session information. 
According to the verification, fraud can be prevented. 
Such fraud may be, for example, storing a manifest 
issuing format destined to other user apparatus 2 or 
reproducing a manifest by reusing the manifest issuing 
10 format. The formulas (3) and (4) mcano mean 

verification of validity of the signature of the 
manifest issuing format. According to the 
verification, the occurrence of a manifest other than 
one which is included in the manifest issuing format 
is and which has a signature signed by the issuer is 
stored can be prevented. The formula (5) means 
verification of correspondence between the manifest and 
the digital ticket. According to the verification, the 
occurrence of a manifest which does not correspond to 
20 the digital ticket, such as one corresponding to other 
digital ticket, can be prevented. 

Step 112) The control part 23 deletes e 3 (=r a 
) from the number set Ruin the storing part 27. 

Step 113) The control part 23 adds e x (=C( m , 
25 pki) ) to a manifest set C v in the storing part 27. 

Step 114) The control part 23 sends ei to the 
control part 21 to notify of a normal end. 

(2) Transferring a digital ticket 
The digital ticket transferring process from 
30 the user apparatus 2a to the user apparatus 2b via the 
connection apparatus 4 will be described in the 
following . 
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Fig.8 and Fig. 9 are sequence charts showing 
the digital ticket transferring process according to an 
embodiment of the present invention. 

Step 201) The control part 21a extracts the 
digital ticket m || S Pk i (m) which is an object to be 
transferred from a set M Ua of data with a signature 
retained by the storing part 22a. 

Step 202) The control part 21a extracts the 
accredited information t || S P ki (t) with a signature by 
the issuer of m || S Pk i (m) from T Ua included in the 
storing part 22a. 

Step 203) The control part 21a sends m || S PkI 
(m) and t || S Pk i (t) to the control part 21b. 

Step 2 04) The control part 21b stores m || S Pk i 
(m) in a set Mub of data with the signature in the 
storing part 22b and stores t || S PkI (t) in an accredited 
information set Tub in the storing part 22b. 

Step 205) The control part 21b requests the 
control part 23b to generate session information (si, 
s 2 ) . 

The control part 23b generates the session 
information (si, s 2 ) according to the following 
procedure and sends it to the control part 21b. 

(a) The control part 23 obtains a number rub 
generated by the number generation part 26b. 

(b) The number r^ is added to a number set Rub in 
the storing part 27b. 

(c) The session information (si, s 2 ) = (H (PkUb) , r^ 
) is generated. Here, PkUb is a verification key held 
by the control part 2 lb . 

Step 2 06) The control part 21b sends the 
session information (si, s 2 ) to the control part 21a. 
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Step 207) The control part 21a sends (si, s 2 ) 
and a hash value H(m||s Pk i (m) ) of the digital ticket to 
be transferred to the control part 23a. 

Step 208) The control part 23a verifies that 
5 following formula is satisfied for a set of manifest 
C Ua of manifests which is stored in the storing part 
27a. 

H(m|| S PkI (m) ) €=c Ua (6) 
When the verification fails , the process 
10 after that is interrupted and the control part 21a is 
notified of the failure. 

The above formula (6) means verification that 
the manifest c< m , PkI) =H (m || S Pk i (m) ) which corresponds to 
the digital ticket to be transferred is stored in the 
15 storing part 27a. 

Step 209) The control part 23a obtains a 
manifest sending format e c =(ei, e 2 , e 3/ e 4/ e 5/ e 6 , e 7 ) 
by using S PkUa which is included in the signature part 
25a and verification keys PkUa, PkCa, and a key 
20 certificate PkUa || S PkCa (PkUa) which are included in the 
control part 11. Each element of e c is shown below. 

ei = C ( m , Pk i) 

e 2 =si 
e 3 =s 2 

25 e 4 = S Pk ua(C(Tn, Pk i) || Si || S 2 ) 

e 5 = PkUa 

e 6 = Sp k ca (PkUa) 

e 7 = PkCa 

Step 210) The control part 23a deletes c (m , 
30 Pk i) from the set C Ua of manifest. 

Step 211) The control part 23a sends e c to 
the control part 21a. 
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Step 212) The control part 21a sends e c to 
the control part 21b. The control part 21b verifies e x 
in the sent e c whether ei=H (m || S PkI (m) ) is satisfied. 

Step 213) The control part 21b sends e c/ 
5 t || Spki (t) and m || Spki (m) to the control part 23b and 
requests to store the manifest in e c . 

Step 214) The control part 23b verifies that 
all formulas below are satisfied by using the an 
authentication part 24b. If the verification fails, 
10 the process is interrupted and the control part 21b is 
notified of the interruption. 



e 2 = H(PkUb) 


(7) 


e 3 e Rub 


(8) 


V e5 (e x || e 2 || e 3 || e 4 , e 5 ) = 1 


(9) 


Ve 7 (e 5 ||e 6 ) =1 


(10) 


H(e7)<= t c 


(ID 


V t i (m || S PkI (m) ) = 1 


(12) 


V tI (t||s Pk i (t)) = 1 


(13) 



The above formulas (7) and (8) mean 
20 verification of validity of the session information. 
Using the verification, fraud such as storing a 
manifest sending format on another user apparatus, 
reproducing a manifest by reusing the manifest sending 
format or the like is prevented. 
25 The formula (9) means verification for 

identifying the signer of the manifest sending format. 
The formula (10) means verification of the key 
certificate of the signer. The formula (11) means 
verification that the signer of the key certificate is 
30 trusted by the issuer as an accredited object in the 
accredited information. According to the above 
verification, it is verified that the tamper-proof 
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capability of the source of the manifest sending format 
is assured by a party trusted by the issuer. 

The formulas (12) and (13) mean verification 
of validity of the signature signed on the accredited 
5 information. According to the verification, it is 
verified that the accredited information is properly 
signed by the signer of the digital ticket. 

Step- 215) The control part 23b deletes e 3 (= 
r^) from the number set Rub in the storing part 27b. 
10 Step 216) The control part 23b adds e x (=c (m , 

pki) ) to the manifest set Cub in the storing part 27b. 

Step 217) The control part 23b notifies the 
control part 21b of the normal completion of the 
process. 

is (3) Consuming the digital ticket 

The digital ticket consuming process from the 
user apparatus 2 to the collector apparatus 3 via the 
connection apparatus 4 will be described in the 
following . 

20 Fig. 10 is a sequence chart of the ticket 

consuming process according to an embodiment of the 

present invention. 

Step 301) The control part 21 extracts a 

digital ticket m || S P ki (m) to be consumed from the 
25 signed data set Mu which is included in the storing 

part 22. 

Step 302) The control part 21 extracts the 
accredited information t||s PkI (t) signed by the issuer 
of m || Spki (m) from the signed accredited information 
30 set Tu included in the storing part 22. 

Step 303) The control part 21 sends m || S P ki 
(m) and t || S PkI (t) to the control part 31. 
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Step 3 04) The control part 31 generates 
session information (s i7 s 2 ) according to the following 
procedure . 

(a) The control part 23 obtains a number r v from 
5 the number generation part 33. 

(b) The number r v is added to a number set R v in 
the storing part 34. 

(c) The session information (si, s 2 ) = (H(PkV), r v ) 
is generated. Here, PkV is a verification key held by 

10 the control part 31. 

Step 3 05) The control part 31 sends the 
session information (s l7 s 2 ) to the control part 21. 

Step 306) The control part 21 sends (si, s 2 ) 
and a hash value H (m || S Pk i (m) ) of the digital ticket to 
15 be consumed to the control part 23. 

Step 307) The control part 23 verifies that a 
following formula is satisfied for a set of manifests 
Cu which is stored in the storing part 27. 
H(m|| S PkI (m) ) eCu (15) 
20 When the verification fails, the process 

after that is interrupted and the control part 21 is 
notified of the failure. 

The above formula (15) means verification 
that the manifest c< m , Pki) =H (m || S PkI (m) ) which 
25 corresponds to the digital ticket to be consumed is 
stored in the storing part 27. 

Step 308) The control part 23 obtains a 
manifest sending format e c =(ei, e 2 , e 3 , e 4/ e 5 , e 6 , e 7 ) 
by using the signature function S Pku which is included 
30 in the signature part 25 and verification keys PkU, 
PkC, and a key certificate PkU || S Pkc (PkU) which are 
included in the control part 21. Each element of e c is 
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shown below. 

ei = C( m , pkl) 

e 2 =si 
e 3 =s 2 

5 e 4 = Spku(c (mf PkI ) || Si || s 2 ) 

e 5 = PkU 
e 6 = S Pkc (PkU) 
e 7 = PkC 

Step 309) The control part 23 deletes c (m , Pk i) 
10 from the manifest set C y . 

Step 310) The control part 23 sends e c to the 
control part 21. 

Step 311) The control part 21 sends e c to the 
control part 31. 
15 Step 312) The control part 31 verifies that 

all formulas below are satisfied by using the 
authentication part 32. If the verification fails, the 
process is interrupted and the control part 21 is 
notified of the interruption. 



e 2 = H(PkV) 




(16) 


e 3 e R v 




(17) 


V e5 (eil| e 2 || 


e 3 ||e 4 , e 5 ) = 1 


(18) 


V e7 (e 5 II e 6 ) 


= 1 


(19) 


H(e 7 ) et c 




(20) 


V t i (m|| Sp k i 


(m) ) = 1 


(21) 


V t i(t II S PkI 


(t) ) = 1 


(22) 



The above formulas (16) and (17) mean 
verification of validity of the session information. 
Using the verification, fraud such as storing a 
30 manifest sending format on another collector apparatus, 
reproducing a manifest by reusing the manifest sending 
format or the like is prevented . 
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The formula (18) means verification for 
identifying the signer of the manifest sending format. 
The formula (19) means verification of the key 
certificate of the signer. The formula (20) means 
5 verification that the signer of the key certificate is 
trusted by the issuer as an accredited object in the 
accredited information. According to the above 
verification, it is verified that the tamper-proof 
capability of the source of the manifest sending format 
10 is assured by a party trusted by the issuer. 

The formulas (21) and (22) mean verification 
of the validity of the signature for the accredited 
information. According to the verification, it is 
verified that the accredited information is properly 
15 signed by the signer of the digital ticket. 

Step 313) The control part 31 deletes e 3 (= 
r v ) from R v in the storing part 34 . 

Step 314) The control part 31 verifies that 
all formulas below are satisfied. If the verification 
20 fails, the control part 21 is notified of process 

interruption. If the verification succeeds, a service 
corresponding to m is provided to the consumer, 
ei - H(m|| S PKI (m) ) (23) 
The above formula (23) means verification 
25 that a manifest corresponding to the consumed digital 
ticket has been sent. According to the verification, 
it is verified that a valid digital ticket has been 
consumed . 

Each element of the issuer apparatus 1, the 
30 user apparatus 2 or the collector apparatus 3 can be 

constructed by a program. The program can be stored in 
a disk unit connected to a computer which may be used 
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as the issuer apparatus, the user apparatus or the 
collector apparatus. The program can be also stored in 
a transportable computer readable medium such as a 
floppy disk, a CD-ROM or the like. The program may be 
5 installed from the computer readable medium to a 

computer such that the present invention is realized by 
the computer . 

As mentioned above, according to the first 
embodiment of the present invention, since only 

10 manifests of the number which the signer intends to 
store are stored in the manifest storing part in the 
data storing system, the occurrence of a manifest newly 
stored by a person other than the signer can be 
prevented. In addition, it can be prevented that valid 

is data exceeding the number of the manifests may exist. 
Further, it becomes possible that the manifests can be 
transmitted only via routes which are trusted by the 
signer. 

By using the digital ticket as data in the 
20 data storing system of the present invention, the 

number of valid reproductions of the digital ticket can 
be maintained at less than a constant number without 
storing the digital tickets in the tamper-proof device. 

In addition, by using a program as data of 
25 the present invention and by using the manifest as a 

license of the program, illegal copying and use of the 
program can be prevented. 

Further, by using music data or image data as 
data of the present invention, illegal copying and use 
30 of the music data or image data can be prevented. 

Furthermore, by "consuming" ((3) in the embodiment) the 
data each time when the data is used, the system of the 
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present invention can be used for billing per use in a 
billing system (for example, a pay per view billing 
system) . 

(Second Embodiment ) 
5 In the following, a second embodiment of the 

present invention will be described. 

According to the above mentioned first 
embodiment, only data which represents originality 
(manifest) is stored in the tamper-proof apparatus and 

10 it is ensured that the number of valid reproductions of 
data is maintained below a pre -set constant number. 
Therefore, the tamper-proof device does not necessarily 
perform verifications other than the verification on 
reproducing. The verifications include a verification 

15 of validity of description. Thus, processing load such 
as processing speed and memory capacity can be 
decreased. The above-mentioned invention has 
remarkable effects in comparison with the conventional 
technology. However, there are two main problems 

20 described below as to the matter of practicality. 

First, when generating the data representing 
originality or authenticity or genuineness, it is 
necessary to send data and the signature to the tamper- 
proof device in order to verify the data and the 

25 signature. On the other hand, the transmitting speed 
of an IC card is about 9600 bps (ISO-7816) , which is 
relatively low. Therefore, when the size of the data 
is large, the time for generating the data representing 
originality may be remarkably increased. 

30 In addition, according to the above-mentioned 

first embodiment, the data representing originality is 
generated from data and the signature, and it is 
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necessary to verify the data representing originality 
by using the data and the signature when consuming the 
data. Therefore, it becomes necessary to circulate not 
only the data but also the signature. Therefore, the 
5 memory capacity necessary for the system and the 
processing time for circulation may be increased. 

In the second embodiment, an original data 
circulation system will be described. According to the 
system, the processing load for generating data 
10 representing originality (which will be called a token) 
and circulating the data is decreased. 

Fig. 11 is a block diagram for explaining the 
principle of the second embodiment of the present 
invention. 

15 , The original data circulation for storing and 

circulating original data which is digital information 
includes an issuer apparatus 50, a user apparatus 60 
and a collector apparatus 70. 

The issuer apparatus includes a first 

20 originality information generation part 51, and a first 
originality information sending part 52. The first 
originality information generation part 51 generates 
originality information. The first originality 
information sending part 52 sends the originality 

25 information. Here, the originality information is 

information which represents genuineness of the right 
of issued data. In other words, the originality 
information represents the authenticity or originality 
of issued data. 

30 The user apparatus 60 includes a second 

originality information sending part 61 /a first 
identifying part 62, a first authentication part 63 and 
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a storing part 64 . 

The second originality information sending 
part 61 receives originality information which is 
formed by fifth information corresponding to an 
5 apparatus and by sixth information which is data or 
which corresponds to the data. The first identifying 
part 62 identifies a source apparatus of the 
originality information when the originality 
information is received from another apparatus. When 

10 the source apparatus is authenticated, the first 

authentication part 63 determines that the originality 
information is valid only when the source apparatus and 
information corresponding to first information of the 
originality information are the same. The storing part 

15 64 stores the originality information when the 

originality information is determined as valid by the 
first authentication part 63. 

The collector apparatus 70 includes a second 
identifying part 71 , a second authentication part 72 

20 and a data processing part 73. 

The second identifying part 71 identifies a 

source apparatus which sends originality information. 

* 

The second authentication part 72 authenticates the 

source apparatus. The data processing part 73 carries 
25 out processing for the originality information data or 

data corresponding to the second information. 

Figs.l2A and 12B show the configurations of 

the data storing system in the original data 

circulation system. 
30 In the figure, the issuer of the digital 

ticket has an issuer apparatus 100 and the user who 

receives the digital ticket has a user apparatus 200. 
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When issuing a digital ticket, a communication channel 
between the issuer apparatus 100 and the user apparatus 
200 is established via a connection apparatus 400. The 
issuer apparatus 100 sends the digital ticket which is 
5 validated in the issuer apparatus 100 to the user 
apparatus 20 0. 

The above-mentioned apparatuses can be 
configured as shown in Figs . 12A and 12B. Fig.l2A shows 
a representative configuration when an IC card is used 

10 for the user apparatus 2 00 and an IC card reader is 

used for the connection apparatus 400. Fig.l2B shows a 
representative configuration when a tamper-proof device 
such as an IC card or a PC which is kept in a safe 
place is used as the user apparatus and a network is 

15 used for the connection apparatus 400. The 

configurations shown in Figs.l2A and 12B can be mixed. 

The above-mentioned communication channel may- 
exist only during the period from the issuing start 
time to the issuing end time, which applies to the 

20 cases of "transferring" , "consuming" and "presenting" . 

When transferring the digital ticket, a 
communication channel is established between the user 
apparatuses 2 00 via the communication apparatus 40 0 in 
the same way as when issuing the digital ticket. Then, 

25 the digital ticket is transferred between the user 
apparatuses 200 . 

A collector of the digital tickets has a 
collector apparatus 300. When consuming the digital 
tickets, a communication channel is established between 

30 the user apparatus 2 00 and the collector apparatus 3 00 
via the communication apparatus 4 00 in the same way as 
when issuing the digital ticket. Then, a valid digital 
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ticket is transferred to the collector apparatus 300. 

When presenting the digital tickets, a 
communication channel is established between the user 
apparatuses 2 00 or between the user apparatus 20 0 and 
5 the collector apparatus 300 via the communication 

apparatus 40 0 such that the user apparatus 2 00 presents 
a certificate that the user apparatus 200 has a valid 
digital ticket to another user apparatus or to the 
collector apparatus 300. 
10 As mentioned above, the data storing system 

of the present invention includes one or a plurality of 
issuer apparatuses 100, one or a plurality of user 
apparatuses 200 and one or a plurality of collector 
apparatuses 3 00 which apparatuses are connected by 
15 connection apparatuses 4 00 which provide temporal 
communication channels . 

In the following, the embodiment of the 
present invention will be described with reference to 
figures . 

20 Each apparatus which forms the above- 

mentioned data storing system will be described by 
using Figs. 13-16. The meaning of formulas used for 
descriptions below are almost the same as those used in 
the first embodiment. Especially, a combination (Pk2, 

25 Spki(Pk2)) of a digital signature S Pkl (Pk2) of Pk2 by a 
verification key Pk2 and S P ki is called as a key 
certificate of Pk2 by Pkl . H(Pk) is called as a hash 
value of Pk. 

Fig. 13 shows an issuer apparatus according to 

30 an embodiment of the present invention. 

The issuer apparatus 100 shown in the figure 
includes a control part 110, a signature part 120, a 
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data generation part 130, a token generation part 140 
and an accredited information generation part 150. 

The control part 110 has a verification key 
Pkl and enables the issuer apparatus 100 to circulate a 
5 digital ticket securely. Pkl is a verification key 
corresponding to a signature function S PkI provided in 
the signature part 120. The hash value of it H(Pkl) is 
used as an identifier for identifying the issuer. A 
detailed description of the control part 110 will be 

10 given later. 

The signature part 12 0 includes a signature 
function S P ki. Sp^i is different for each issuer 
apparatus 100 and concealed by ^he signature part 120. 

The data generation part 13 0 generates data m 

15 on the basis of information generated in the issuer 
apparatus 100 or information given from outside. 
According to the data storing system of the present 
invention, there is no restriction on the contents of 
the data m. Therefore, digital information 

20 representing rights of general tickets such as a 

concert ticket, program data, music data and image data 
can be used as the data m. 

The token generation part 14 0 has the 
unidirectional hash function H and generates a token 

25 (ci; c 2 ) =(H(m), H(Pkl)) from data m and a verification 
key Pkl . c 2 is token issuer information which is a 
hash value that identifies the issuer of the token. 
Hash of data m is used as Ci here; however, an 
identifier for identifying m can also be used as c x . 

30 The accredited information generation part 

150 generates accredited information (ti, t 2 , t 3 ) . (ti, 
t 2 , t 3 ) that can be formed as shown below by using the 
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signature part 12 0. 

t x = {HCPkAi), H(PkA 2 ), H(PkA n )} 
t 2 = Sp k i(H(PkA 1 ) ||H(PkA 2 ) || ... ||H(PkA n ) ) 
t 3 = Pkl 

5 Here, H(PkAi) is a hash value for identifying 

an after-mentioned third party who is "trusted" by the 
issuer . 

The accredited information can also be formed 
(t'l, t' 2/ t' 3/ t' 4 ) as shown below. 
10 t' x = {HfPkAi), H(PkA 2 ), H(PkA n )} 

t' 2 =H(m) 

t' 3 = S PkI (H(PkAx) ||H(PkA 2 ) || ...||H(PkA n ) || H (m) ) 

t' 4 -PkI 

In this case, H(PkAi) is a hash value for 
15 identifying a third party trusted by the issuer for 
circulating data m. 

In addition, a third party may issue 
accredited information such that the above-mentioned 
accredited information can be constructed recursively. 
20 Further, the accredited information may be 

stored beforehand in a control part of the tamper-proof 
device of the user apparatus or a control part of the 
collector apparatus instead of being generated by each 
issuer. In this case, the signature is not necessary 
25 and the accredited information can be constituted as 
(t"i , t" 2 ) or only t" x as shown below. 
t"!= {H (PkAi) , H(PkA 2 ), H(PkA n )} 
t" 2 =H(m) 

In such a case, H(PkAi) is a hash value for 
30 identifying a third party trusted by a third party 

which made the control part for circulating the data m. 

In the following, the accredited information 
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is assumed as (ti, t 2 , t 3 ) . However, any of the above- 
mentioned accredited information can be used. 

Fig. 14 is a user apparatus 200 according to 
an embodiment of the present invention. 
5 The user apparatus 2 00 includes a control 

part 210, a storing part 220 and the tamper-proof 
device 2 80 which has a control part 23 0, an 
authentication part 240, a signature part 250, a number 
generation part 260 and a storing part 270. The 

io tamper-proof device 280 protects functions and contents 
of each part from tampering. Even the user of the 
tamper-proof device 280 can not tamper with the tamper- 
proof device 280. An IC card or a server which is 
stringently managed by a third party via a network can 

15 be used as the tamper-proof device 280. 

The control part 210 includes issuer 
information I u = {fKPklx), H(PkI 2 ), H(PkI n )}. The 
control part 210 and the control part 23 0 in the 
tamper-proof device 280 control the user apparatus 2 00 

20 for circulating a digital ticket securely. I u is a set 
representing an issuer trusted by a user and can be 
updated by the user at any time. The control part 210 
determines that only the token issued by an issuer 
included in I u is valid. The detailed description of 

25 the control part 210 will be described later. 

In addition, Iu can be realized as Iu(nii 
)={H(PkIi X ), H(PkI i2 ), H(PkIi n )}. That is, sets of 

issuer information are managed from one data to another 
data . 

30 The storing part 22 0 stores a set M u of data 

which is held by a user and a set T u of accredited 
information. The sets can be updated by the control 
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part 210. 

The control part 230 has verification keys 
PkU, PkA, and a key certificate (PkU, S PkA (PkU)). The 
control part 23 0 controls the user apparatus for 
5 circulating the digital ticket securely. Here, the 
verification key PkU corresponds to S Pk u in the 
signature part 250. Hash data of it H(PkU) is used as 
an identifier for identifying the user apparatus. S PkA 
is a signature function concealed by a third party 

10 which assures safety of the tamper-proof device 280. 
The third party may be an IC card manufacturer, a 
tamper-proof server administrator or the like. That 
is, tamper-proof capability of the tamper-proof device 
280 which includes the signature function S P ku is 

15 assured by the third party who has the signature 

function S PkA . A detailed description of the control 
part 230 will be given later. PkA is a verification 
key of S PkA . 

The authentication part 240 includes a 

20 verifier V. 

The signature part 250 includes the signature 
function S Pku . Each of the user apparatuses have 
different S P ku- Spku ^ s concealed by the signature part 
250 . 

25 The number generation part 260 stores a next 

number r a . When the number generation part 260 is 
required to issue a number, the number generation part 
2 60 issues a current number r v and increments r D . Here, 
ru is a positive number. 

30 The storing part 270 stores a set of tokens 

Cu and a set of numbers Ru- These sets can be updated 
by the control part 230. 
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Fig. 15 is a block diagram of the collector 
apparatus according to an embodiment of the present 
invention. The collector apparatus 300 includes a 
control part 310, an authentication part 320, a number 
5 generation part 330 and a storing part 340. 

The control part 310 has a verification key 
PkE and issuer information I E = {H(Pkli) , H(PkI 2 ) , 
H(PkI n )}, and controls the collector apparatus 300 for 
circulating the digital ticket securely. I E is a set 

10 representing an issuer trusted by the collector and can 
be updated by the issuer at any time. The control part 
310 determines that only the token issued by an issuer 
included in I E is valid and provides a service for 
consumption of only the digital ticket with the valid 

15 token. The detailed description of the operation of 
the control part 310 will be given later. 

In addition, in the same way as I y in the 
control part 210, I B can be realized as I E (mi 
)={H(PkIii), H(PkI i2 ), H(PkIi n )}. That is, sets of 

20 issuer information are managed from one data to another 
data . 

The authentication part 32 0 includes a 
verifier V. 

The number generation part 33 0 stores a next 
25 number r E . When the number generation part 330 is 

required to issue a number, the number generation part 
330 issues a current number r E and increments r E . r E is 
a positive number. 

The storing part 34 0 stores a set of numbers 
30 R E - The set can be updated by the control part 310. 

Fig. 16 is a block diagram of the connection 
apparatus 400 according to an embodiment of the present 
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invention . 

The connection apparatus 4 00 includes a 
communication part 410. The communication part 410 
provides a temporal or permanent communication channel 
5 between the issuer apparatus 100, the user apparatus 
200 and the collector apparatus 300, or between the 
user apparatuses. A terminal with an IC card slot at a 
kiosk, a plurality of PCs which are connected via 
network or the like can be used as the connection 
10 apparatus 4 00. 

A method for circulating the digital ticket 
securely by using the above-mentioned apparatuses will 
be described in the following. 

In the following, the circulation method of a 
15 digital ticket will be described for each of the cases 
of (1) Issuing a digital ticket, (2) Transferring a 
digital ticket and (3) Consuming a digital ticket. In 
the following description, communication between the 
apparatuses is carried out via the communication part 
20 410 in the connection apparatus 400. 

(1) Issuing a digital ticket 
Fig. 17 is a sequence chart of the process 
according to an embodiment of the present invention. 
In the figure, the connection apparatus 400 existing 
25 between the issuer apparatus 100 and the user apparatus 
2 00 is not shown. 

Step 1101) The control part 110 of the 
issuer apparatus 100 obtains data m from the data 
generation part 130. The data m is the digital ticket 
30 describing right information. 

Step 1102) The control part 110 of the issuer 
apparatus 10 0 provides the data m and Pkl to the token 
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generation part 14 0 such that the token generation part 
140 generates a token (ci, c 2 ) =(11(111), H(Pkl)). 

Step 1103) The control part 110 obtains 
accredited information (t lr t 2 , t 3 ) from the accredited 
5 information generation part 150. The configuration of 
the accredited information is shown before. 

Step 1104) The control part 110 sends m and 
(ti, t 2 , t 3 ) to the control part 210 in the user 
apparatus 2 00. 

10 Step 1105) The control part 210 of the user 

apparatus 200 adds m in Mu of the storing part 220, 
adds (ti, t 2 , t 3 ) in Tu of the storing part 22 0 and 
stores them in the storing part 220. 

Step 1106) The control part 210 requests 

15 control part 230 to generate session information (si, 
s 2 ) . 

The control part 230 generates the session 
information (si, s 2 ) according to the following 
procedure and sends it to the control part 210. 
20 (a) The control part 230 obtains a number ru 

generated by the number generation part 2 60 in the 
tamper-proof device 280. 

(b) The number ru is added to a number set Ru in 
the storing part 270. 
25 (c) The session information (si, s 2 ) = (H(PkU), r D ) 

is generated. Here, PkU is a verification key held by 
the control part 210. 

Step 1107) The control part 210 sends the 
session information (si, s 2 ) to the control part 110 of 
30 the issuer apparatus 100. 

Step 1108) The control part 110 of the issuer 
apparatus 100 obtains a token exchange format e=(e x , 
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e 2 , e 3/ e 4/ e 5/ e 6/ e 7 , e 8 ) by using S Pk i in the signature 
part 12 0 and the verification key Pkl retained by the 
control part 110. Each element in e is shown below. 
When issuing the digital ticket, since e 7 and e 8 are 
5 dummy data, each of e 7 and e 8 can take any value. 

e 2 = c 2 
e 3 = s x 
e 4 = s 2 

io e 5 = S PkI (ci || c 2 || c 3 II c 4 ) 

e 6 = Pkl 
e 7 = any 
e 8 = any 

Step 1109) The control part 110 sends e to 
15 the control part 210 of the user apparatus 200. 

Step 1110) The control part 210 sends e to 
the control part 230 and requests control part 230 to 
store the token in e . 

Step 1111) The control part 23 0 in the 
20 tamper-proof device 280 verifies that following 

formulas are satisfied by using the authentication part 
240. If the verification fails, the process after that 
is interrupted and the control part 230 notifies the 
control part 110 in the issuer device 100 of the 
25 process interruption via the control part 210. 
e 3 =H(PkU) (1) 
e 4 e=Ru (2) 
Ve6(e x || e 2 || e 3 || e 4 , e 5 ) =1 (3) 
e 2 = H(e 6 ) (4) 
30 The above-mentioned formulas (1) and (2) mean 

verification of validity of the session information. 
Using the verification, fraud can be prevented. Such 
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frauci may be, for example, storing a token exchange 
format in an other user apparatus 2 00 or reproducing a 
token by reusing the token exchange format . 

The formula (3) means verification of 
5 validity of the signature of the token exchange format. 
According to the verification, tampering with the token 
exchange format can be prevented. 

The formula (4) means verification of the 
validity of the token issuer information. According to 
10 the verification, storing token issued by an issuer 
other than the signer of the token can be prevented. 

Step 1112) The control part 230 in the 
tamper-proof device 280 of the user apparatus 2 00 
deletes e 4 (=ru ) from the number set Ruin the storing 
15 part 270. 

Step 1113) The control part 230 adds (e 1# e 2 ) 
to Cu in the storing part 270. 

Step 1114) The control part 230 sends (ei, 
e 2 ) to the control part 210 to notify of a normal end. 
20 Step 1115) The control part 210 verifies that 

following formulas are satisfied. If the verification 
fails, the process is interrupted and the control part 
230 notifies the control part 110 in the issuer 
apparatus 10 0 of the process interruption. 
25 ei=H(m) (5) 

e 2 GIu (6) 

The formulas (5) and (6) mean verification 
that the sent token corresponds to the subject digital 
ticket and was issued by a proper issuer. According to 
30 the verification, it is verified that the issued ticket 
is valid. 

(2) Transferring a digital ticket 
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The digital ticket transferring process from 
the user apparatus 200a to the user apparatus 200b via 
the connection apparatus 400 will be described in the 
following . 

5 Fig. 18 and Fig. 19 are sequence charts showing 

the digital ticket transferring process according to an 
embodiment of the present invention. In the figures, 
the connection apparatus 400 existing between the two 
user apparatuses 2 0 0a and 2 0 0b is not shown. u a" is 

10 added to the name of each element of the user apparatus 
200a and "b" is added to the name of each element of 
the user apparatus 2 0 0b. 

Step 2201) The control part 210a extracts the 
digital ticket m which is an object to be transferred 

15 from a set M Ua retained by the storing part 220a. 

Step 2202) The control part 210a of the user 
apparatus 200a extracts the accredited information (t X/ 
t2/ t 3 ) generated by the issuer of m from T Ua included 
in the storing part 220a. 

20 Step 2203) The control part 210a sends m and 

(t X/ t 2/ t 3 ) to the control part 210b of the user 
apparatus 2 0 0b. 

Step 2204) The control part 210b stores m in 
a set Mub in the storing part 220b and stores (t X/ t 2/ 

25 t 3 ) in an accredited information set Tub in the storing 
part 220b. 

Step 2205) The control part 210b requests to 
generate session information (si, s 2 ) to the control 
part 230b in the tamper-proof device 280b. 
30 The control part 23 0b generates the session 

information (si, s 2 ) according to the following 
procedure and sends it to the control part 210b . 
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(a) The control part 2 3 0b obtains a number rut, 
generated by the number generation part 260b in the 
tamper-proof device 280b. 

(b) The number r^ is added to a number set in 
5 the storing part 270b in the tamper-proof device 280b. 

(c) The session information (sx, s 2 ) = (H (PkUb) , rub 
) is generated. Here, PkUb is a verification key held 
by the control part 210b. . 

Step 2206) The control part 210b sends the 
10 session information (si, s 2 ) to the control part 210a 

of the user apparatus 200. In addition, issuer 

information Iub may be sent with the session information 

(si, s 2 ) . By providing notification of the issuer 

information beforehand, generating and sending a token 
15 exchange format which does not satisfy formula (16) or 

(26) can be prevented. 

Step 2207) The control part 210a sends (si, 

s 2 ) and a hash value H (m) of the digital ticket to be 

transferred to the control part 2 3 0a. 
20 Step 22 08) The control part 23 0a in the 

tamper-proof device 280a verifies that following 

formulas are satisfied for C Ua which is stored in the 

storing part 2 7 0a. 

3c 2 ((H(m), c 2 )ec Ua ), ^eiub (7) 
25 When and if the verification fails, the 

process after that is interrupted and the control part 

210a is notified of the failure. 

The above formula (7) means verification that 

the token (H(m), c 2 ) which corresponds to the digital 
30 ticket m to be transferred is stored in the storing 

part 2 7 0a. 

Step 2209) The control part 230a of the 
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tamper-proof device 2 8 0a obtains a token exchange 
format e=(ei, e 2/ e 3/ e 4/ e 5 , e 6 , e 7 , e 8 ) by using S PkUa 
which is included in the signature part 2 50a and 
verification keys PkUa, PkAa, and a key certificate 
5 (PkUa, SpkAa (PkUa) ) which is included in the control 

part 210a of the user apparatus 200a. Each element of 
e is shown below. 

e x =H (m) 

e 2 =c 2 
10 e 3 =si 

e 4 =s 2 

e 5 = S PkUa (H (m) || c 2 || Si || s 2 ) 
e 6 = PkUa 
e 7 = S PkAa (PkUa) 
15 e 8 = PkAa 

Step 2210) The control part 23 0a deletes 
(H(m), c 2 ) from the set C Ua if s 2 is positive. 

Step 2211) The control part 230a sends e to 
the control part 210a. 
20 Step 2212) The control part 210a sends e to 

the control part 210b of the user apparatus 200b. 

Step 2213) The control part 210b sends e and 
the accredited information t to the control part 23 0b 
in the tamper-proof device 280b. The control part 210b 
25 requests to store the token in e. 

Step 2214) The control part 230b verifies 
that all formulas below are satisfied by using thie an 
authentication part 240b. If the verification fails, 
the process is interrupted and the control part 210b is 
30 notified of the interruption. 

e 3 = H(PkUb) (8) 
e 4 ^ Rub (9) 
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V e6 (ei II e 2 II e 3 II e 4/ e 5 ) = 1 
V e8 (e 6 , e 7 ) =1 



(10) 



(11) 



H(e 8 ) etx 



(12) 



V t3 (t i, t 2 ) 



= 1 



(13) 



e 2 - H(t 3 ) 



(14) 



The above formulas (8) 



and (9) mean 



verification of validity of the session information. 
According to the verification, fraud such as storing a 
token exchange format in a user apparatus other than 
the user apparatus 2 0 0b, reproducing a token by reusing 
the token exchange format or the like is prevented. 



validity of the signer of the token exchange format. 
According to this verification, tampering of the token 
exchange format can be prevented. 



key certificate of the signer. The formula (12) means 
verification that the signer of the key certificate is 
included in the accredited objects in the accredited 
information. The formula (13) means verification of 
the validity of the accredited information. The 
formula (14) means verification that the signer of the 
accredited information is the same as the issuer of the 
token. According to the above verification, it is 
verified that the tamper-proof capability of the source 
of the token exchange format is assured by a party 
trusted by the issuer. 

Step 2215) The control part 230b deletes e 4 
(=rub) from the number set Rub in the storing part 270b. 

Step 2216) The control part 230b adds (ei, 
e 2 ) to the set Cub in the storing part 270b. 

Step 2217) The control part 230b notifies the 



The formula (10) means verification for the 



The formula (11) means verification of the 
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control part 210b of the normal completion of the 
process . 

Step 2218) The control part 210b verifies 
that all formulas below are satisfied. If the 
5 verification fails, the process is interrupted and the 
control part 210a is notified of the interruption. If 
the verification succeeds, the control part 210a is 
notified of the normal completion of the process.^ 
ei= H(m) (15) 
io e 2 GIub (16) 

The formulas (15) and (16) mean verification 
that the sent token corresponds to the subject digital 
ticket and was issued by a proper issuer. According to 
the verification, it is verified that the transferred 
15 ticket is valid. 

When the issuer information is managed data 
by data in the control part 2 10b 7 e 2 G Iub (m) is 
substituted for the formula (16) . 

(3) Consuming the digital ticket 
20 The digital ticket consuming process from the 

user apparatus 2 00 to the collector apparatus 3 00 via 
the connection apparatus 400 will be described in the 
following . 

Fig. 20 is a sequence chart of the ticket 
25 consuming process according to an embodiment of the 
present invention. In the figure, the connection 
apparatus 400 existing between the user apparatus 200 
and the collector apparatus 300 is not shown. 

Step 3301) The control part 210 extracts a 
30 digital ticket m to be consumed from Mu which is 
included in the storing part 220. 

Step 3302) The control part 210 extracts the 
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accredited information (ti, t 2 , t 3 ) generated by the 
issuer of m from Tu included in the storing part 220. 

Step 33 03) The control part 210 sends m and 
(ti, t 2/ t 3 ) to the control part 310 of the issuer 
5 apparatus 300. 

Step 33 04) The control part 310 generates 
session information (si, s 2 ) according to the following 
procedure . 

(a) The control part 310 obtains a number r E from 
10 the number generation part 33 0. 

(b) The number r E is added to a number set R E in 
the storing part 340. 

(c) The session information (si, s 2 ) = (H(PkE), r E ) 
is generated. Here, PkE is a verification key held by 

15 the control part 310. 

Step 3305) The control part 310 sends the 
session information (si, s 2 ) to the control part 210 of 
the user apparatus 200. 

Step 3306) The control part 210 sends (si, 
20 s 2 ) and a hash value H (m) of the digital ticket to be 
consumed to the control part 23 0 of the tamper-proof 
apparatus 2 8 0. 

Step 3307) The control part 230 verifies that 
following formulas are satisfied for Cu which is stored 
25 in the storing part 270. 

3c 2 ( (H(m) , c 2 ) €=Cu) (17) 

When and if the verification fails, the 
process after that is interrupted and the control part 
210 is notified of the failure. 
30 The above formula (17) means verification 

that the token (H (m) , c 2 ) which corresponds to the 
digital ticket m to be consumed is stored in the 
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storing part 270 of the tamper-proof device 280. 

Step 33 08) The control part 23 0 obtains a 
token exchange format e=(ei, e 2/ e 3/ ' e 4/ e 5# e 6/ e 7 , e 8 ) 
by using the signature function S Pku which is included 
5 in the signature part 250 and verification keys PkU, 
PkA, and a key certificate (PkU, Sp^A (PkU) ) which are 
included in the control part 210. Each element of e is 
shown below. 
ei=H (m) 
10 e 2 =c 2 
e 3 -si 
e 4 =s 2 

e 5 = S Pku (H(m) || c 2 || s ± || s 2 ) 
e 6 = PkU 
15 e 7 = S PkA (PkU) 

e 8 = PkA 

Step 3309) The control part 230 of the 
tamper-proof device 280 deletes (11(111), c 2 ) from Cu when 
s 2 is positive. 

20 Step 3310) The control part 23 0 sends e to 

the control part 210 . 

Step 3311) The control part 210 sends e to 
the control part 310 of the collector apparatus 300. 

Step 3312) The control part 310 verifies that 
25 all formulas below are satisfied by using the 

authentication part 320. If the verification fails, 
the process is interrupted and the control part 210 of 
the user apparatus 200 is notified of the interruption. 
e 3 = H(PkE) (18) 
30 *e 4 ^ R E (19) 

V e6 (ei || e 2 || e 3 II e 4/ e 5 ) = 1 (20) 
V e8 (e 6 , e 7 ) =1 (21) 
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H(e 8 ) eti (22) 
V t3 (t i, t 2 ) =1 (23) 
e 2 = H(t 3 ) (24) 

The above formulas (18) and (19) mean 
5 verification of validity of the session information.. 
According to the verification, fraud such as storing a 
token exchange format to a collector apparatus other 
than the collector apparatus 3 00, reproducing a token 
by reusing the token exchange format or the like is 
10 prevented. 

The formula (2 0) means verification for the 
validity of the signer of the token exchange format. 
According to this verification, tampering of the token 
exchange format can be prevented. 

15 The formula (21) means verification of the 

key certificate of the signer. The formula (22) means 
verification that the signer of the key certificate is 
included in the accredited objects in the accredited 
information. The formula (23) means verification of 

20 the validity of the accredited information. The 

formula (24) means verification that the signer of the 
accredited information is the same as the issuer of the 
token. According to the above verification, it is 
verified that the tamper-proof capability of the source 

25 of the token exchange format is assured by a party 
trusted by the issuer. 

Step 3313) The control part 310 of the 
collector apparatus 300 deletes e 4 (=r E ) from R E in the 
storing part 340. 

30 Step 3314) The control part 310 verifies that 

all formulas below are satisfied. If the verification 
fails, the control part 210 of the user apparatus 200 
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is notified of the process interruption. If the 
verification succeeds, a service corresponding to m is 
provided to the consumer. 
ei= H(m) (25) 
e 2 €=i E (26) 

The formulas (25) and (26) means verification 
that the sent token corresponds to the subject digital 
ticket and was issued by a proper issuer. According to 
the verification, it is verified that the consumed 
ticket is valid. 

When the issuer information is managed data 
by data in the control part 310, e 2 g Ie (m) is 
substituted for the formula (26) . 

(4) Presenting the digital ticket 
Presentation of the digital ticket can be 
realized by modifying the process of the ticket 
consumption as follows. 

- The control part 310 generates (si, 
s 2 ) = (H(PkE), -r E ) in (c) of the step 3304. 

- A formula -e 4 ^ R E is substituted for the 
formula (19) in the step 3312. 

According to the above-mentioned 
modification, since s 2 becomes negative, (H (m) , c 2 ) is 
not deleted from Cu in step 3309. That is, it becomes 
possible to verify that the user apparatus has a valid 
digital ticket at the time of the presentation while 
the valid digital ticket remains in the user apparatus. 
Thus, the inspection of the digital tickets becomes 
possible . 

In the above descriptions (l)-(4), the sent 
token exchange format is not explicitly stored. On the 
other hand, storing the token exchange format in the 
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storing part 220 produces an effect. That is, the user 
apparatus can send the history of the token exchange 
format when sending m. As a result, it becomes 
possible to identify a fraudulent apparatus when fraud 
5 (double spending) is found. The fraud may be, for 
example, that the tamper-proof device 2 8 is cracked. 
(5) Returning the digital ticket 
The collector can return the digital ticket 
which has been consumed or presented to the issuer. 
10 Then, the issuer can pay a value to the collector. 

Accordingly, a value such as a fee can be paid to the 
issuer who has collected or inspected a digital ticket 
while preventing double-billing. 

In the following, the process for returning 
is will be described. 

The issuer apparatus 100 further includes a 
part (a storing part 160) for storing the token 
exchange format e and a part for storing or obtaining 
data m corresponding to the returned ticket and 
20 accredited information (t x , t 2 , t 3 ) . 

The process for returning the digital ticket 
which is consumed or presented at the issuer apparatus 
300 will be describe. 

Step 5501) The issuer apparatus 300 sends the 
25 token exchange format e which is consumed or presented 
to the issuer apparatus 100. 

Step 5502) The control part 100 of the issuer 
apparatus 100 verifies that a formula e 2 = H(Pkl) is 
satisfied in which e 2 is included in e. When and if 
30 the verification fails, the issuer apparatus is 

notified of the failure and the process is interrupted. 
According to the verification, it is verified that e 
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corresponds to the digital ticket which is issued by 
the issuer apparatus 100 itself. 

Step 5503) The control part 110 verifies that 
the formulas (20) - (22) are satisfied for e. When the 
5 accredited information (ti, t 2 , t3) is obtained via an 
unreliable route (for example, via the issuer) , the 
formulas (23) and (24) are also verified. In this 
case, when verifying the formula (24) , Pkl is 
substituted for t 3 . When the verification fails, the 

10 issuer apparatus 300 is notified of the failure and the 
process is interrupted. According to the verification, 
it is verified that e is circulated via a valid 
circulation route . 

Step 5504) The control part 110 verifies that 

is the tamper-proof capability of e 3 is not assured by any 
third party which is trusted by ti in which e 3 is 
included in e when e 4 is positive. Accordingly, it is 
verified that the valid token is not stored, that is, 
the right of the ticket is properly terminated due to 

20 consumption. 

Step 5505) The control part 110 stores e 
in the storing part 160. If e has been already stored 
in the storing part 160, the issuer apparatus 300 is 
notified of the failure and the process is interrupted. 
25 Step 5506) The issuer provides a value 

according to the returned digital ticket to the issuer. 
(6) Book of tickets 

A book of tickets can be realized by adding 
number information or time information to the token of 
30 the token exchange format. The number information is 
assumed to be the number of the ticket . 

Accordingly, when a plurality of digital 
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tickets issued by the same issuer and having the same 
contents are issued, the digital tickets can be treated 
properly and a plurality of same tokens can be sent 
effectively. 

5 Specifically, by modifying the above- 

mentioned embodiments, the book of tickets can be 
realized. 

- Number information c 3 is added to the token. 

- Number information e n is added to the token 
10 exchange format . 

- In the process of issuing the digital ticket, the 
number of tickets is specified as N when the token is 
generated (step 1102) . 

- In the process of transf erring/consuming the 

15 digital ticket, when the step 2207 or the step 3306 is 
performed, the number of the digital tickets to be 
transferred/consumed is specified as n. 

- In the process of transf erring/consuming the digital 
ticket, when it is verified that the token is stored in 

20 step 2208 or step 3307, it is verified that the number 
of the tickets is adequate. That is, it is verified 
that Cu includes (c x , c 2 , c 3 ) in which Ci=H(m) ric 3 n is 
satisfied . 

- When the token exchange format is generated in step 
25 1108, step 2209 or step 3308, e n =n is added and n is 

added and concatenated to the object to be signed in e 5 
such that Ci || c 2 II Si || s 2 II n is obtained. 

- In the process of transferring/consuming, when 
deleting the token (when s 2 is positive in step 2210 or 

30 step 3309), (H(m), c 2 , c 3 ) is deleted from C 0 only ^ 
when c 3 =n is satisfied. When c 3 < n, (H(m) , c 2 , c 3 ) 
in Cu is updated to (H(m) , c 2 , c 3 -n) . 
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- When verifying the token exchange format in step 
1111, step 2214 or step 3312, e n is added and 
concatenated to the object to be verified in the 
signature verification by e 5 (the formulas (3) , (10) 
5 and (20)) such that e x || e 2 II e 3 || e 4 II e n is obtained. 

- In the process of issuing/transf erring the 
digital ticket, when storing the token in step 1113 or 
step 2216, if C 0 already includes a token (ci, c 2 , c 3 ) 
in which ei=Ci and e 2 =c 2 are satisfied, the token (ci, 

10 c 2 , c 3 ) in Cu is updated to (ci, c 2 , c 3 + e n ) - 

- In the process of consuming/returning the 
digital ticket, the service or the value may be 
provided a plurality of times according to e n . 

(7) Retransmission control 
15 The token can be retransmitted while 

preventing reproduction after abnormal conditions such 
as unintentional disconnection of a route are 
encountered. In the following, the process for the 
retransmission will be described. Specifically, the 
20 following procedures are added to some steps in the 
above-mentioned embodiments . 

- The control part 110 or 230 retains the 
token exchange format e generated in step 1108, step 
2209 or step 3308. 

25 - The control part 210 or 310 notifies the 

control part 110 or 210 which sent the digital ticket 
of (si, s 2 ) when acknowledgment of receipt is sent in 
normal completion in step 1115, step 2218, or in 
providing a service in step 3 314. 

30 - The control part 110, 210 deletes the token exchange 
format corresponding to (si, s 2 ) after the 
acknowledgment of receipt is received. 
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• When carrying out retransmission, some steps 
of the above-mentioned embodiment are modified as shown 
below . 

- When the session information is obtained in 
5 step 1106, 2205 or 3304, the session information is not 

newly generated. Instead, the session information (si, 
s 2 ) stored in the storing part 220 or 340 is used. 

- In step 1108, steps 2208-2210, and steps 
3307-3309, if the control part 110 or 210 has e in 

io which (e 3 =Si ) fl (e 4 =s 2 ) is satisfied, e is not newly 
generated and the retained e is used. 

(8) Variations of issuing 

Since the issue of the digital ticket can be 
assumed to be ticket (token) generation and 

15 transferring the ticket logically, the digital ticket 
can be issued by using the ticket transferring process 
described below for example. The amount of processing 
necessary for the process increases as compared with 
the ticket issuing process described above, since the 

20 verification process of the ticket transferring is more 
complex than that of the ticket issuing. 

(8-1) Use of self -certificate 

According to the after mentioned process, the 
verification process of the token exchange format by 

25 the control part 230 is different between ticket 
issuing (step 1111) and ticket transferring (step 
2214) . Implementation cost can be decreased by 
unifying the verification process as one in step 2214. 
The control part 110 includes a key 

30 certificate (Pkl, S Pk i (Pkl)) by itself. As described 
below, by modifying the ticket issuing process, the 
process of the control part 23 0 which is in the 
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receiving side can be unified. 

- The issuer apparatus includes the self hash 
value H(Pkl) in the accredited object t x by the issuer 
when the accredited information generation part 150 

5 generates the accredited information in step 1103. 

- e 7 = Spki (Pkl) and e 8 = Pkl are used when the 
token exchange format e is generated in step 1108. 

- The formulas (8) -(14) are used instead of 
the formulas (1) - (4) when the token exchange format e 

io is verified in step 1111. U is substituted for Ub. 

(8-2) Issuing the digital ticket by a user 

apparatus 

As mentioned below, the user apparatus can 
issue the digital ticket by having a capability of 
15 generating a token issued by the user apparatus. 

The process will be described in the 
following. In the description,, it is assumed that data 
m is already generated. 

- The control part 210 provides a hash value 
20 H(m) of data m which corresponds to the digital ticket 

and the accredited object ti= {H(PkAi), H(PkA 2 ), 
H(PkAi)} to the control part 230. 

- The control part 230 stores (H (m) , H(PkU)) 
in the storing part 270 by using the verification key 

25 PkU. 

The control part 230 generates t 2 = 
S Pku (H(PkA 1 ) || H(PkA 2 ) || ... || H (PkAi) ) by using the 
signature part 250. 

- The control part 230 returns (ti, t 2 , t 3 = 
30 PkU) to the control part 210. The control part 210 
stores (ti, t 2/ t 3 ) in the storing part 220. After 
that, the digital ticket is sent. 
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The above-mentioned examples of returning the 
tickets, the book of the tickets, retransmission 
control, and variations of issuing can be applied to 
the first embodiment . 
5 Each element of the issuer apparatus 100, the 

user apparatus 200 or the collector apparatus 3 00 can 
be constructed by a program. The program can be stored 
in a disk unit connected to a computer which may be 
used as the issuer apparatus, the user apparatus or the 

10 collector apparatus. The program can be also stored in 
a transportable computer readable medium such as a 
floppy disk, a CD-ROM or the like. The program may be 
installed from the computer readable medium to a 
computer such that the present invention is realized by 

15 the computer . 

Fig. 21 is a block diagram showing a hardware 
configuration of such a computer. As shown in Fig. 21, 
the computer system includes a CPU 500 by which a 
process of a program is executed, a memory 501 for 

20 temporarily storing data and a program, an external 

storage unit 502 for storing data and a program to be 
loaded into the memory 501, a display 503 for 
displaying data, a keyboard 504 for inputting data or 
commands, and a communication processing unit 505 which 

25 enables the computer system to communicate with other 
computers via a network. The program is installed in 
the external storage unit 5 02 then loaded into memory 
501 and executed by the CPU 500. 

As mentioned above, according to the second 

30 embodiment of the present invention, the token can be 
transmitted only via routes which are trusted by the 
issuer and the user or the collector identified by the 



MARKED UP VERSION OF 
SUBSTITUTE SPECIFICATION 



-66- 



issuer. Thus, the occurrence of the token 
corresponding to the data being newly stored in the 
token storing part by a person other than the issuer 
indicated by the token issuer information in the token 
5 can be prevented. In addition, the occurrence of the 
token being reproduced to a plurality of the token 
storing parts while the token is transferred can be 
prevented . 

In addition, by regarding data with the token 

10 issued by a specific issuer as original, it becomes 
possible to restrict the number issuances of the 
original data by the issuer. 

Further, by using an information identifier 
such as an URL which exists in an network as data, an 

is access right of the information which can not be 

reproduced and can be transferred can be provided. 

Further, by using a ticket with the correct 
contents or by using an identifier of the ticket, only 
the ticket that has a valid token can be regarded as a 

20 valid ticket and a user or a collector can refuse a 

ticket other than the valid ticket. Thus, fraudulent 
use (for example, double spending and illegal 
reproduction) of the ticket can be prevented. 

Furthermore, by using a program as data of 

25 the present invention and by using the token issued by 
a specific issuer as a license of the program, illegal 
copying and use of the program can be prevented. In 
this case, the program execution apparatus can refuse 
to execute a program other than the program with the 

30 token. 

Further, by using music data or image data as 
data of the present invention, illegal copying and use 
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of the music data or image data, in which the token 
issued by a specific issuer is used as an appreciation 
right can be prevented. A display apparatus of the 
data or a playback apparatus can refuse to display or 
5 playback data other than the data with the token. 

- The present invention is not limited to the 
specifically disclosed embodiments, and variations and 
modifications may be made without departing from the 
scope of the invention. 
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ABS TRACT OF THE DISCLOSURE 

An original data circulation system for 
storing or circulating original data which is digital 
information is provided. The original data circulation 
5 system includes an issuer apparatus, a user apparatus 
and a collector apparatus. The issuer apparatus 
generates originality information including first 
information corresponding to the issuer apparatus and 
second information corresponding to data and sends the 

10 originality information. The user apparatus verifies 

the validity of the source apparatus of the originality 
information and stores the originality information when 
the validity is verified. The collector apparatus 
verifies the validity of the source apparatus of the 

15 originality information and processes data 

corresponding to the second information when the 
validity is verified. 
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